Do Android users really need malware protection?

Adrian Ludwig, lead engineer for Android security at Google, spoke to journalists prior to Google’s I/O developers’ conference and said that Android users who install antivirus and other security apps on their devices are no better off than those who don’t. The risk of potentially harmful applications is “significantly overstated” he believes, and there’s no need for anyone to install any form of third party protection.

“I think … paying for a product that you will probably never actually receive protection from is not a rational reduction of risk — but people buy things for lots of reasons”, he said. Security expert Graham Cluley, who worked for Sophos for 14 years, disagrees. In a blog post he says Ludwig is “wrong, wrong, wrong”. Two very opposing views. So who’s right?

Ludwig suggested users can stay safe by running the latest Android version. This, Cluley points out, is easier said than done. “Unfortunately, the way that Android devices are updated with new OS versions is a much more hit-and-miss affair than iPhones — leaving it to Google, service providers and handset manufacturers to all agree and co-ordinate with the rollout of an update. Sometimes, little more than a year after a new Android handset is launched, the company will reveal it is not going to release any more OS updates for it”.

Ludwig also claimed “By the time a user goes to install an app [from Google Play] they’ve had … the best review of that application that is possible”. Cluley counters that with examples of malware and bogus apps which have been found in Google’s app store, including a fake BlackBerry BBM app and bogus anti-virus products.

There is no question that downloading apps from Google Play is much, much safer than downloading them from other third-party stores, but rogue apps do occasionally slip through. Apple’s App Store’s review process is much more rigorous than Google’s, and this shows in the lack of malicious apps reported on iOS. While Google had 275 reported threats in Q1 2014, Apple had just one, and that only affected jailbroken devices.

In 2013 F-Secure reported that 97 percent of mobile malware was designed to run on Google’s OS. In Q1 2014 that had risen to 99 percent of new threats. So it’s fair to say that Android does have a malware problem, but it’s important to put the risks in context.

According to F-Secure, the percentage of apps carrying malware on Google’s official Play Store was just 0.1 percent in 2013. So while there is a risk of downloading something malicious, you’d have to be very, very unlucky to do so. Infected apps also tend to have a short shelf life as Google acts swiftly to remove them.

Download Android apps from elsewhere, and it’s a different story. The chances of picking up a malicious app in a third-party app store (excluding Amazon’s Appstore) are much greater. Where you live can also play a big role in your chances of finding malware — many users in developing nations get their apps from outside Google.

That said, according to F-Secure, in Q1 2014 users in the UK reported the most malware infections — between 15-20 infected apps per 10,000 users.

So should you install an antivirus app, or other form of security tool? It depends. If you download a lot of apps from a variety of locations, you’re far more at risk than if you download a handful a year just from Google Play. And if you stick to big name apps from Google’s app store, then your chances of getting a rogue app are reduced further.

Android’s Adrian Ludwig said “If I were to be in a line of work where I need that type of protection it would make sense for me to do that. [But] do I think the average user on Android needs to install [anti-virus]? Absolutely not”.

You’d be foolish to blindly trust Google’s vetting process to keep you safe, and there’s no harm in installing a security app, so long as you pick one from a reputable company with a history of protecting against malware — the likes of Bitdefender, Avast, Lookout and AVG.

But whether you need one… well that will depend on you. Ludwig and Cluley both have opposing views on the subject, but the best way to keep your phone safe from infection remains, as always, by using common sense and avoiding taking pointless risks.